Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Good morning. You're listening to Breakfast Bites, and I'm Felicia King.
Today's show, I'm going to be talking about zero-trust cybersecurity posture.
What the heck is it? Why should we care?
Let's talk also about the limits on the number of agents that should exist on any endpoint.
And we're going to parlay that also into some related topics,
(00:24):
such as security stack and paradigms associated with cybersecurity.
And then talking about some specific products so that you can have a clue about
what products are out there that you could or should be using.
Now, this is definitely going to be a business as well as residential relevant conversation.
(00:46):
So let's get started.
Let's first talk about a cybersecurity paradigm that's called Zero Trust Posture.
Now, back in 2016, roughly around the January timeframe,
what I witnessed happen was that individuals who did not have,
(01:08):
and certainly businesses as well,
who did not have a network layer security appliance at that time that was configured
in a hard and secured way.
Well, they lacked that network layer protection that would stop the bad stuff
from getting to their computer, you know, through this network layer.
(01:30):
So then the only thing that was there to stop the bad stuff or to handle it
in any way was after it had already been delivered to the computer,
then theoretically the software that's installed there is supposed to be fast
enough to be able to respond to that threat and quarantine it or do things to it in general.
(01:53):
At that point in time, there was not zero trust technology in existence,
at least not in the realm of what was accessible to the small to medium business market.
And really, you need to realize that anything that is accessible to the SMB
market is also accessible to the residential market.
(02:15):
It may not be directly serviceable in a self-service model for the residential market.
However, it is cost-effective enough to be in the residential market.
So generally, you're going to, if you are a residential user who,
or, you know, I mean, really think about it this way, too.
Let's just say you're working from home and you've got a little home-based business.
(02:40):
You know, you're going to be as price sensitive, most likely,
as a typical residential user is going to be.
Maybe just slightly less. So you also need to know that these strategies are
directly applicable to you and they're cost effective. Okay.
So what I saw in this January 2016 time frame was that everybody started getting
breached who did not have the capabilities in their technology stack to block the bad stuff.
(03:09):
As before, right?
As it was coming through the network before it got to their computer.
So this is really the creme de la creme name of the game.
I actually saw on a forum yesterday a statement where this guy tried using a
little agent that was intended to provide a software-based defined networking solution,
(03:37):
and he was finding where it was locking up and blue-screening the computer.
So this is one of the failings that can happen with that strategy.
And I'm not saying I'm totally against things like that. They do have their time and place.
But, you know, a lot of this stuff is incredibly complicated and very highly
contextual, which is why you really should not try and do it on your own.
(03:58):
So if we have the ability to have a network layer security appliance that has
its own processor, it has its own memory,
it's not an additional thing that's any load on your computer,
and it also has the leverage of scale,
meaning even if we're just talking about your five PCs at home,
including, you know, your Roku and your Amazon Fire device and your phones and
(04:23):
whatever the heck else you've got running around your house,
all of those things need network layer protection, and one network layer security
appliance can provide all that flexible network layer security to them if it
is correctly configured.
If you try and do this stuff on a self-service basis, it's just not going to work.
I've seen all of the self-service residential market quality devices out there.
(04:49):
In fact, I've even looked at the Meraki small to medium business stuff.
And all I have to say is junk, junk, and ineffective junk. It's just junk, junk, and junk.
So, you know, if you think you're getting network layer security from any of
those things, it's called theater at that point.
You're just engaging in security theater because that's not actually what it's providing.
(05:10):
So in this zero trust posture, which is really where we need to get to these days,
this is really crucial because that pivotal change in the January 2016 timeframe
was that once the bad doo-doo got onto the endpoint,
it didn't matter if the security software caught it and quarantined it and stopped it.
(05:33):
The bad stuff, the malware and viruses are so nasty now that they damage that
computer in an irrecoverable way.
I mean, it's just always going to have pixies and weirdnesses and have problems after that.
So you're either in a situation where now you have to do an expensive recover
from a full system image, or you have to rebuild the computer from scratch.
(05:58):
Either way, those are both very expensive propositions, and the annual cost profile
of the network layer security appliance is less than a single computer rebuild
or a single computer restore.
So think about it from that perspective.
Network layer security is incredibly effective. It functions on a zero-trust
(06:20):
basis, meaning that when that device is correctly configured,
it's only going to allow what we have allowed.
It's not going to just trust things in general.
Now, this is also an absolute necessity of an approach these days when we're
talking about endpoint protection software and endpoint detection and response software,
(06:44):
as well as theories like managed detection and response.
Now, so now we're getting into this whole concept of what is this cybersecurity
stack? What do you actually need?
So first, we know we need a network layer security appliance because we've got
to stop as much of the bad doo-doo before it ever even gets to your computer.
But once the stuff has been allowed to get to your computer,
(07:06):
another layer of inspection needs to be happening there.
And the EPP product and the EDR product hopefully are combined with an MDR as well.
So we're talking about endpoint protection product, endpoint detection and response,
and managed detection and response.
(07:26):
All of this hopefully should be one agent that has all of those pieces of functionality.
Hopefully it also has things like advanced reporting and compliance risk assessment,
and hopefully you'd also be bundling that with some services like patch management.
If we're not applying patches, then we have open, unpatched, known
(07:52):
vulnerable security holes in the computer that just need to be fixed, right?
So patch management is most definitely an absolute mandatory component of any
sort of a cybersecurity approach.
So on this element of the zero trust EPP EDR model, we're really talking about
(08:13):
the posture of the product.
The world is filled with ineffective cybersecurity products.
Many of them are suffering from the old paradigm.
And the old paradigm is one where it is not functioning on a zero-trust basis.
Now, I recently, within the last six months, I switched myself,
(08:35):
and certainly we're now switching all of our clients, to a new product.
And that product has a zero-trust posture.
And that zero trust posture is that anything that tries to execute on that endpoint,
if it is not known, if its behavior is questionable, then it's not going to be allowed.
(08:58):
And the software will present a message to the end user that says,
you know, this application is going to be blocked until we've vetted it.
Then that executable will be uploaded into a managed detection and response
threat hunting platform automatically by artificial intelligence, and it will be analyzed.
(09:21):
And if the AI can't clear it, then there are human beings that exist in a data
center that are then going to look at that stuff.
And that's where this is a drastically different approach.
And I've tested the heck out of this and it works very well.
There is only one product on the market that I'm aware of that's even more anal retentive,
(09:43):
and that product is really only applicable for scenarios where there's a fully
staffed security operations center because it's going to be even more intense.
It is a platform that is designed more so for when an end user tries to do something
(10:03):
and they're getting blocked.
They can request approval, but then the expectation is that there is someone there,
on the other end of that software 24 hours a day who's monitoring that,
who then is going to analyze that request and approve it or deny it or,
(10:25):
you know, physically call the end user and talk to them like a human being,
any number of varieties of approaches there.
So you can now imagine that if you don't have that software package combined
or partnered with a 24-hour-a-day manned security operations center,
then that really doesn't work.
And so that approach is not very effective
(10:48):
in the SMB or the residential space.
It's more of a mid-market type of solution if you have in excess of 350,
more so approaching 500 users at a single company, that starts to make sense.
So the two products that I'm talking about specifically that have this zero
(11:10):
trust posture, one is called Panda Adaptive Defense 360, and then the other
one's called ThreatLocker.
Now, I like ThreatLocker, again, in that instance where you have a fully staffed,
24-hour-a-day, manned, internal organization security operations center.
Now, this is not part of what's called an outsourced SOC.
(11:33):
It is not part of that. An outsourced SOC is not going to manage your ThreatLocker
application configuration for you.
That's not going to happen. I'll make another comment, which is that the vast
majority of managed service providers out there struggle with a product like
ThreatLocker because the only people that are really qualified to even effectively
(11:54):
get trained on it are people like me,
people who are already very high-end security engineers or security architects.
So you can't take, you know, an average systems engineer and expect that they're
going to do well with that product.
And it's very similar to a statement about how you can't take an average systems
(12:16):
engineer and suddenly turn them into a network security engineer just through some training.
Just because they may get some training that says,
okay, well, if you have this problem, and then you decide that this other thing
is the solution, here's how you execute those configuration changes.
You know, that's all well and good. That's what the training provides.
(12:38):
What it does not do is it does not fill that middle gap, which is enormous, by the way.
It's like the Grand Canyon in size, that middle gap is all about your judgment
call as to the context of the risk associated with either approving or disapproving,
or should we do some investigation before we approve it?
(13:01):
You know, I mean, there are a dozen questions
that get asked and answered there.
And it is an artistry. Security, good quality security is an art form.
So the thing that I really find spectacularly effective about Panda AD360 is
that it, when properly configured,
(13:23):
because I always want to caveat that, that everything is all about whether or
not it's properly configured.
Nothing, nothing, nothing comes secure by default out of the box. It doesn't exist.
There is no technology that does that. Technology out of the box by default
is designed to be accessible.
(13:44):
Accessibility and security are on different ends of the spectrum.
So the more security you have, you may have less accessibility.
So necessarily the default configuration for something is going to err on the side of accessibility.
And then it is the responsibility of a security engineer to come in and configure
(14:06):
a security profile for that thing that is within the context of what's appropriate for that situation,
you know, for that business, those resources, those assets, that use case.
But Panda AD360, it's not a residential product.
It can be used in the residential space if it's being managed effectively by
(14:27):
a high-quality managed security services provider, which is what QPC is.
Then it's very,
very affordable, very cost effective, and it's
a phenomenal tool because it is not
in your face. It's a very low-noise product that takes a zero trust posture,
(14:51):
and in the deployment of the product to clients, and certainly to our own systems,
I have had zero false positives.
There are some times where someone will be browsing to a site that they don't
think should be categorized in a particular way, and that's fine.
Then we can just set up an exception for that.
(15:11):
But that is a rare situation that crops up, and it's very easy to deal with.
The reporting that you get out of the tool and the fact that it is back-ended
into a threat hunting team that sits in a data center and looks at the threat correlation data,
(15:33):
what they're able to do is, you know, 24 hours a day, they're looking for problems.
If they see problems, then they tell us about problems.
And then we're expected to action it on our end.
And I think that's really the correct approach,
because you have to be very, very careful about who you continue to grant delegated
(16:00):
administrative access to endpoints through the installation of agents.
So, if you put a SOC agent on a computer or you put a managed detection and
response agent, if you put an MDR agent on a computer, you have to be asking
very intense questions about MDR.
What privileges do the people that sit in that data center that man this software,
(16:25):
that look at the telemetry data and the analytics data,
what privileges do they now have to that system simply because that agent is installed there?
Darn good question. Boy, you better be asking that. And the answer that you
get back better be satisfactory.
So first off, where's the data getting pulled back to? I do not want to hear
(16:48):
that the data is going to China or Czechoslovakia or Israel or any place like that.
Boy, it better be sitting inside of a data center in the United States.
Or number one, you know, I'm done with that right there.
Secondarily of all, that agent better not give them the ability to execute scripts
(17:08):
or grab actual data files
or profiles, because, see, if they can execute scripts, then they
can do all kinds of things to those endpoints. Now we
can sit here and talk about how that SOC
third party or the MDR third party is going
to only hire excellent people that they trust, that they vet, and they're managing,
(17:29):
and blah blah blah. All that's fine, but you know what? The fact of the matter is
that human beings have been corrupt since the beginning of time, and it would
be naive of us to think that there will never be any issue with any staff
at any company that we ever deal with, ever, ever, ever.
That's just a ridiculous proposition.
So to suggest that you can just bring anybody into the fold is,
(17:53):
no, that's not a good, that's really not a good assumption.
So a good MDR or a good SOC agent will only deliver MD5 hashes of files for analysis,
and it will only give them the telemetry data about what's actually going on.
It may deliver things like event logs, processes that are running,
(18:18):
you know, basically the data that they need in order to do analysis. However,
it's not going to give them the ability to execute scripts on the endpoint,
nor will it give them the ability to grab data files and then send them elsewhere.
See, if you can execute scripts, you can basically do anything.
You know, I mean, scripts running under the system context
(18:43):
is effectively full total ownership of everything that's on that computer,
including everything that it talks to, you know, anything that's associated
with any of the data streams in and out of that computer.
Then that script and the processes that it's calling, and what it can
execute and do, effectively own all of that.
So that's an incredibly pertinent question you have to ask.
(19:04):
So what I found is that, first off, let's just do a recap on this.
Number one, network layer security on a hardcore level is absolutely mandatory.
This has just become even more apparent every time there is a security breach
statement, every time there's a ransomware, every time somebody is publishing
(19:26):
an article that talks about like, oh yeah, here's how the bad guys got us.
You go and you look at what ways in which properly configured network layer
security could have stopped all of that.
And you can definitely find that information.
And it is always shocking to me when organizations do not have proper network layer security.
(19:48):
I recently was talking to a couple of guys who were pretty high-end network
guys at a couple very, very large local organizations.
And I had asked them whether or not they were using deep packet inspection in their business.
And the answer was no, in both cases. My head wants to just pop off with stuff like that.
I'm like, okay, so this is not a matter of you don't have the people,
(20:10):
you don't have the resources, you don't have the budget.
Of course, you have all of those things.
What you don't have is you don't have the political will. There's nobody inside
the organization with enough technical and political skill to get it done,
to get done the correct implementation of security strategy.
That's the issue. And that issue right there is exactly how Target got breached.
(20:36):
And that's how Equifax got breached.
So let's take a lesson from that.
Okay, so point number one, network layer security, hardcore, mandatory.
Point number two, zero trust posture with regards to your endpoint protection
products and endpoint detection and response,
(20:58):
etc., is now the only strategy that is effective.
So if you're using an endpoint protection product that does not have a zero
trust posture, then you need to call me, basically. Call me, I will help you.
Then you should also be limiting the number of agents that are on endpoints.
(21:21):
So what's really key is to find that product that has all this feature set.
Like, can we have just one agent on the computer that is going to do patch management
for us, do some, you know, inventory telemetry data collection,
give us the ability to do some reporting for compliance and cybersecurity governance.
(21:46):
And also have all the security components that we need,
and plugged into a managed detection and response data center that is staffed
24 hours a day by individuals who are trained to do threat hunting and threat analytics.
So yes, it is actually possible to have a single agent that can do that.
(22:10):
But boy, you got to look really, really hard for that.
I have found that product after many months of doing testing and seeking for that.
And unfortunately, this still leaves us with the requirement to have a remote
monitoring and management agent on the endpoints, as well as probably one other
(22:31):
agent for some other circumstances.
So probably three in total.
Now, I've recently had a client who is getting acquired or theoretically going
to be acquired in a few months by another company come to us and talk about
a product called Arctic Wolf,
which is, you know, really an obscenely expensive service.
(22:53):
They are about $60,000 a year.
So the fact that anybody would even propose this to a business of 15 people
is just preposterous. Okay, it's just preposterous.
And keep in mind, too, that if you look at what Arctic Wolf does, it is a SOC, they do SIEM,
(23:16):
sure they do threat hunting, but it's all after the fact, and it's duplicative
of other services that are already existing with Panda AD360.
Furthermore, having Arctic Wolf does not alleviate the necessity to actually
have an EDR/EPP and a threat detection and response platform on every single endpoint.
(23:41):
It doesn't alleviate the requirement to have a remote monitoring and management agent.
You know, it just doesn't, it doesn't alleviate anything.
It's just a $60,000 expense you didn't need to spend money on.
So the solution that I put forward to the client was Panda AD360 for all of their endpoints.
(24:05):
And then, of course, an RMM and another little compliance and reporting and management tool.
So, you know, at the end of the day, that total expense for them annually is
probably going to be around $10,000 as opposed to $60,000.
And keep in mind that the $60,000 expenditure was not even going to,
(24:29):
you know, it wasn't even going to solve the problems. I don't think it was going
to solve any of the problems.
Now, let's talk about one final piece here, which is the support model.
It's absolutely critical that you are utilizing components in your cybersecurity
stack that function with your support model.
So like, let's say, for example, you wanted to get Arctic Wolf and you wanted
(24:52):
to spend $60,000, then the question is, are they even going to
participate in communications, and are they going to cooperate with your managed services provider?
Well, I'll tell you bluntly, the answer is no, they don't.
The entire Arctic Wolf business model is really around the realm of doing business
(25:14):
with organizations like, you know, SC Johnson or Modine or Snap-on,
where they have full-time internal IT whose job is to do nothing other than security, right.
That's their expectation of who they interact with.
They will not interact with anyone else on behalf of the client.
(25:35):
So if you don't happen to have a full-time internal security architect, who,
by the way, if you did hire that person, would probably make more money
than the CEO of the company in a small to medium business. Okay.
So, you know, this is clearly not going to happen.
So that's their paradigm. So that should be another just blazing level of exclusion that says,
(26:03):
okay, Arctic Wolf doesn't make any sense from a financial perspective,
nor does it even have the right cybersecurity posture.
It doesn't eliminate us from having any other expenses.
And it doesn't work with our support model.
So these are all things that I want you to think about as you are contemplating
(26:27):
what the right products and features are that you should be utilizing in your
cybersecurity posture.
And, you know, if all of this was a bit of a brain teaser for you,
then my best suggestion is please just give me a call. Let's talk about it. I can help you.
And the number here at QPC is 262-553-6510, standard business hours,
(26:55):
central standard time, as you would normally expect. The website is qualityplusconsulting.com.
Cybersecurity is what we do, and I'm an expert at designing cybersecurity stacks
and solutions that are effective and also cost effective.
So they have the technical efficacy, but they are not in the
(27:17):
financial unobtainium realm, which is really critically important.
There's so many things out there that are just obscene quantities of money.
It's like, oh, $300 in a month. And it's like, really? $300 a month?
Yeah. So anyways, that's it for today's show.
I wanted you to be very cognizant about thinking about changing your paradigm
(27:42):
in terms of security, cybersecurity,
zero trust posture thinking, limiting the number of agents that are on endpoints,
and starting to use the right criteria with regards to selecting not only the support model,
but also the parts and pieces that need to be in play to provide a successful outcome to you.
(28:09):
Oh, I'll throw out one other tidbit too, is think very deeply about what your
governance requirements are.
Like, do you have to comply with PCI or HIPAA, GLBA, NIST CSF?
Do you have to comply with CMMC?
Any number of these things are going to drive your own GRC,
(28:31):
the governance, you know, and responsibility sort of things that are going to
drive, oh, well, we have to have 12 months of logging or 24 months of logging.
And what kind of logging do we have to have?
You have to think about all those things, too, as part of when you're coming
up with plans for your cybersecurity stack.
Well, that's it for today. Hope you enjoyed the show.